Business email compromise scammers from Nigeria were found targeting COVID-19 research institutions, pandemic response agencies, and government healthcare organizations to get falsified wire transfer payments and install malware.

Palo Alto Networks’ Unit 42 team researchers detected the attacks linked to a cybercriminal group called SilverTerrier. The threat actors of this group have been very active in the last 12 months having conducted around 2.1 million BEC attacks since 2014. Last year, the group performed about 92,739 attacks each month, with June having the highest activities of 245,637 attacks.

The group was found exploiting vulnerability CVE-2017-11882 in Microsoft Office and installing malware, although in most cases employs spear-phishing emails to target people working in the finance team. The group utilizes standard phishing baits like phony invoices and payment advice notices to fool recipients into clicking open malicious email attachments that prompt malware installation. The gang uses a number of malware variants, such as information stealers (Lokibot, PredatorPain, and Pony) and remote admin tools to retain persistent access to breached networks. The gang utilizes malware for stealing sensitive data and gaining access to payroll systems and bank accounts. BEC attacks are likewise performed to get falsified wire transfer payments.

Unit 42 researchers have followed what three threat actors from the group were doing in the last 3 months. They know who carried out 10 COVID-19 inspired malware campaigns on institutions engaged in responding to COVID-19 in Australia, Italy, Canada, the United States and the United Kingdom.

The latest targets included government healthcare organizations, local and regional governments, insurance providers, medical publishing firms, research companies, and universities with medical programs and medical facilities. The researchers identified 170 unique phishing emails, a number of which were linked to face masks supplies and personal protective equipment.

There were 172% more SilverTerrier attacks in 2019 and Palo Alto Networks data shows no sign of the attacks slowing down in 2020. Therefore, government organizations, public utilities, healthcare, and insurance companies, and universities with medical programs should be extra careful with COVID-19-related emails with attachments. Because the attacks are typically performed via email, the best security is to train the staff to distinguish spear-phishing emails and to use an advanced spam filtering program to stop the delivery of spam to inboxes. It is additionally crucial to check for the CVE-2017-11882 Microsoft Office vulnerability and apply patches immediately.